Businesses have reached a compliance breaking point and many organisations are finding themselves more vulnerable to reputation risk due to new compliance-related legislation being rolled out around the world. 


This is according to a report, commissioned by McAfee and conducted by Dr Jonathan Liebenau, senior lecturer in information systems: Department of  management at the London School of Economics (LSE), which suggests that businesses are struggling to put the necessary IT security resources in place to comply  with government regulations.
Titled “International Perspectives on Information Security Practices”, the research – believed to be the first of its kind – warns that a firm’s reputation could be damaged by disclosure laws now in force in the US and that look set to become more widespread globally.
The report also reveals that many businesses are reliant on a very limited number of specialists who can manage information risks and understand compliance.
Companies that lose these internal capabilities often struggle to find replacements either on the labour market or through outsourcing.
Perhaps the best example of the direct link between IT security and the strategic business function is the requirement to give public notice of a security breach.
This has been law in the US since 2004, but poses serious risks for business reputation, and business continuity. A recent survey by the Ponemon Institute in the US revealed that one third (34%) of customers would change their bank after one security breach.
Dr Liebenau found that by mid 2006, reports of security breaches in the US were numbering between eight and 10 per week. To date almost 94-million records containing sensitive personal information have been involved in security breaches.
“The mandatory reporting of security breaches will have far-reaching implications on a business’ reputation-management,” says Dr  Liebenau. “The practice of reporting breaches, now commonplace in the US and quickly spreading to several regions in the world, will impact the way individuals and organisations think about information handling in general and reputation protection in particular.”
Surprisingly, compliance requirements may be increasing security risk as guidelines, standards and compliance worries overshadow business security needs, as the costs involved in monitoring and meeting compliance requirements can take resources away from dealing with live security threats.
Researchers found that CIOs, security officers and IT directors believe compliance is playing an ever increasing role in IT security, but many businesses are struggling to cope with its requirements. According to one banking security expert in the UK: “We understand SOX and what it’s good for, but in practice you do what you can.”
The key findings in this area are:
* Evaluation of security practices is often very subjective due to a lack of good benchmarks.
* There is no convergence of the security practices within businesses. Those responsible for policies are often different from those who manage and maintain the system security.
* Information security executives and managers resent the considerable effort spent on monitoring changes in policies and regulations and then re-designing systems in order to comply with these changes.
The consensus among computer security professionals is that the SOX Act has been a boon to information security in the US, elevating the importance of IT security within corporate life. However, there is a widespread view among the senior IT personnel interviewed that the Act is both too vague in its specifications, and at the same time too prescriptive in its implications.